The risk warning report records and summarizes common attacks against your network assets and provides you with risk warning information. You can view the following risk warnings: known hacker attack, WordPress attack, suspected attack, robot script, crawler access, and SMS abuse.

By default, the report shows the individual attack records. You can also switch to the attack statistics view, which shows the distribution of attack types, the top 5 attacker source IP addresses, and the top 5 attacker source regions.

HTTP Flood: displays the records of HTTP flood attacks detected by WAF. You can select the domain name and query time to view the corresponding records.

The real-time total QPS and attack QPS are shown at the top of the page, and all HTTP flood events are listed at the bottom of the page. Alibaba Cloud WAF defines an HTTP flood attack as a burst of requests that lasts longer than 3 minutes at an attack frequency of more than 100 requests per second.
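The definition above can be checked offline against your own access logs. The following Python script is an added example, not Alibaba Cloud code: it buckets request timestamps per second and reports every run of consecutive seconds in which the rate stays above 100 requests per second for longer than 3 minutes, the two thresholds quoted above. The traffic it runs on is constructed inline; in practice you would feed it the request timestamps from your web server or WAF log export.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

# Thresholds from the WAF definition quoted in the text:
# attack duration > 3 minutes and attack frequency > 100 requests per second.
MIN_DURATION_SECONDS = 3 * 60
MIN_QPS = 100


@dataclass
class FloodEvent:
    start: int            # first second of the run (epoch seconds)
    end: int              # last second of the run, inclusive
    peak_qps: int
    total_requests: int

    @property
    def duration(self) -> int:
        return self.end - self.start + 1


def per_second_counts(timestamps: Iterable[float]) -> Counter:
    """Bucket request timestamps (epoch seconds, int or float) into per-second counts."""
    return Counter(int(t) for t in timestamps)


def find_flood_events(timestamps: Iterable[float],
                      min_qps: int = MIN_QPS,
                      min_duration: int = MIN_DURATION_SECONDS) -> List[FloodEvent]:
    """Return every run of consecutive seconds with more than min_qps requests
    that lasts longer than min_duration seconds."""
    counts = per_second_counts(timestamps)
    if not counts:
        return []
    events: List[FloodEvent] = []
    run_start = None
    run_total = run_peak = 0
    # Walk one second past the last bucket so a run that reaches the edge is closed.
    for sec in range(min(counts), max(counts) + 2):
        qps = counts.get(sec, 0)
        if qps > min_qps:
            if run_start is None:
                run_start, run_total, run_peak = sec, 0, 0
            run_total += qps
            run_peak = max(run_peak, qps)
        elif run_start is not None:
            if sec - run_start > min_duration:
                events.append(FloodEvent(run_start, sec - 1, run_peak, run_total))
            run_start = None
    return events


def constructed_traffic() -> List[float]:
    """Constructed request timestamps, not real traffic: 20 qps of background
    traffic for 10 minutes, a 50-second burst at 300 qps (too short to count),
    and a 200-second flood at 150 qps (long enough to count)."""
    base = 1_700_000_000
    ts: List[float] = []
    for sec in range(600):
        ts.extend(base + sec + i / 20 for i in range(20))
    for sec in range(100, 150):
        ts.extend(base + sec + i / 300 for i in range(300))
    for sec in range(300, 500):
        ts.extend(base + sec + i / 150 for i in range(150))
    return ts


if __name__ == "__main__":
    for ev in find_flood_events(constructed_traffic()):
        print(f"HTTP flood: {ev.duration}s from {ev.start}, peak {ev.peak_qps} qps, "
              f"{ev.total_requests} requests")
```

The script applies the definition literally, so a single second that drops below the rate threshold ends a run; a production detector would tolerate short gaps. The 50-second burst in the constructed data exceeds the rate threshold but not the duration threshold and is therefore not reported, while the 200-second run is.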

HTTP ACL Event: displays the ACL events for a domain name. You can select the domain name and query time to view the corresponding records.

On the Risk Warning tab page, select a risk type to view details. You can view the following risk records:

Hacker attack

Risk warning provides a hacker profiling function based on Alibaba Cloud big data analytics and attack source tracing. This function identifies and records the malicious behaviors and activities of recognized hackers against your website, including footprinting, scanning, and attacks. A hacker can be an individual or a group with a known real identity. When you receive such an alarm, it means that a known hacker is attacking your website.

Dots in the figure indicate hacker activity on the corresponding date. Click a dot to view the detailed attack record. In the figure:

Different lines stand for different hackers. Click the hacker information to view the characteristics of that hacker.

The color of a dot indicates the severity of the hazard. The darker the color, the more severe the hazard.

The size of a dot indicates the number of attacks during that day. Larger dots indicate more attacks, smaller dots fewer attacks.

Defense: The attacks displayed in this report were intercepted by WAF and need no further action for the web application itself. However, because these hackers typically try other avenues into the server when the web path is blocked (for example, SSH or database ports), we recommend that you also review the security of the non-web services on the server.

WordPress attack

Risk warning detects WordPress attacks based on the attack features described in Prevent WordPress bounce attacks. If the number of such warnings keeps increasing, your server is probably being targeted by this kind of HTTP flood attack.

Defense: Configure HTTP flood protection according to the defense suggestions provided in the preceding document.

Suspected attack

Using the anomaly detection algorithm of big data analytics, WAF screens out suspicious access requests, for example requests with abnormal parameter names, types, or ordering, or containing special symbols or statement fragments, so that you can analyze them further and add protection based on the features of your service.

The risk warnings highlight the abnormal portion of the request. For example, the request shown in the following figure contains two repeated parameters that are not joined by the conventional "&" separator.

Defense: This alarm reports a suspicious request, which may be a legitimate request from a special service or a variant of an attack. Analyze the alarm against the features of your own service.
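The kind of highlighting described above can be reproduced offline when triaging these alarms. The following Python script is an added example and not Alibaba Cloud's detection logic: it walks a query string pair by pair and reports repeated parameter names, key=value pairs glued on without the conventional "&" separator (the case in the figure above), and special symbols or statement fragments inside a pair, returning the offsets of each abnormal portion so it can be highlighted. The symbol list and the sample query strings are assumptions chosen for illustration.

```python
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    kind: str
    start: int   # offset of the abnormal portion within the query string
    end: int
    text: str    # the abnormal portion itself


# One conventional key=value pair; the value runs up to the next '&'.
PAIR_RE = re.compile(r'([^&=]+)=([^&]*)')
# A key=value pair that appears inside a value, i.e. was glued on without '&'.
# The lookahead keeps base64 padding such as "abc==" from matching.
GLUED_KEY_RE = re.compile(r'([A-Za-z_][\w.\-]*)=(?=[^=])')
# Symbols and statement fragments that rarely occur in ordinary form values
# (an illustrative list, not the WAF's rule set).
SPECIAL_RE = re.compile(r"['\"<>()]|--|/\*|\b(?:union|select|sleep)\b", re.IGNORECASE)


def inspect_query(qs: str) -> List[Finding]:
    """Return the abnormal portions of a query string: repeated parameters,
    pairs not joined by '&', and special symbols or statement fragments."""
    findings: List[Finding] = []
    seen: Dict[str, int] = {}
    for m in PAIR_RE.finditer(qs):
        name, value = m.group(1), m.group(2)
        if name in seen:
            findings.append(Finding("repeated_parameter", m.start(), m.end(), m.group(0)))
        else:
            seen[name] = m.start()
        # A second pair inside the value means the '&' separator is missing;
        # if its name was already seen it is also a repeated parameter.
        for g in GLUED_KEY_RE.finditer(value):
            start = m.start(2) + g.start()
            kind = ("repeated_parameter_without_separator"
                    if g.group(1) in seen else "missing_separator")
            findings.append(Finding(kind, start, m.end(), qs[start:m.end()]))
        for s in SPECIAL_RE.finditer(m.group(0)):
            start = m.start() + s.start()
            findings.append(Finding("special_symbol", start, m.start() + s.end(), s.group(0)))
    return findings


def highlight(qs: str, findings: List[Finding]) -> str:
    """Wrap each abnormal portion in square brackets, working from the end so offsets stay valid."""
    out = qs
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        out = out[:f.start] + "[" + out[f.start:f.end] + "]" + out[f.end:]
    return out


if __name__ == "__main__":
    # Constructed sample queries, not captured traffic.
    for sample in ("id=1 id=2", "id=1&id=2", "id=1' or '1'='1", "page=1&sort=name"):
        found = inspect_query(sample)
        print(f"{highlight(sample, found)!r:32} {[f.kind for f in found]}")
```

As the Defense note says, a finding is a reason to look, not a verdict: a service that legitimately accepts repeated parameters, or embeds "=" in an opaque token, will trip the same checks, so the output should be read together with knowledge of the interface being called.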

Robot script

WAF detects the features of common machine script tools, such as Python2.2 and HttpClient. If you have not recently sent a large number of requests through a test tool yourself, the alarm count indicates the number of malicious requests received from such script tools. These may include tools used for load testing or for launching HTTP flood attacks.

Crawler access

WAF detects crawler requests, including those from legitimate crawlers such as the Baidu spider. If the number of these alarms is high, the number of requests to the server increases abnormally, and CPU usage rises, the website may be receiving malicious crawler requests or HTTP flood attacks disguised as crawlers.

SMS abuse

WAF detects requests to interfaces such as the SMS registration interface and the SMS verification interface. If the number of these alarms increases, your SMS interface is probably being abused, which drives up your SMS costs.

Defense: Click View Details to view the specific requests. Analyze whether the calls are normal service calls based on the source IP addresses and the interface to which most requests are sent. If they are not, we recommend that you use Data Risk Control and custom HTTP flood protection to protect the abused interfaces.
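The triage step just described, grouping requests by source IP address and interface and checking what kind of client sent them, is easy to script against your own access log while you wait for the WAF rule to take effect. The following Python script is an added example, not Alibaba Cloud code, and covers the three preceding risk types (robot script, crawler access, SMS abuse) in one pass: it parses combined-format access log lines, classifies each User-Agent as a script tool, a known crawler, or a browser, tallies the top source IP addresses per interface, and flags any source that hits SMS-related interfaces more than a chosen number of times. The User-Agent patterns, the SMS path pattern, the threshold, and the log lines themselves are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed combined-log lines (documentation IP ranges, not real traffic):
# a script tool hammering the SMS interfaces, a Java client fetching product
# pages, a search-engine crawler, and one ordinary browser registration.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0800] "POST /api/sms/send HTTP/1.1" 200 51 "-" "python-requests/2.25.1"
203.0.113.10 - - [10/Oct/2023:13:55:36 +0800] "POST /api/sms/send HTTP/1.1" 200 51 "-" "python-requests/2.25.1"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0800] "POST /api/sms/send HTTP/1.1" 200 51 "-" "python-requests/2.25.1"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0800] "POST /api/sms/verify HTTP/1.1" 200 51 "-" "python-requests/2.25.1"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0800] "GET /product/42 HTTP/1.1" 200 8812 "-" "Apache-HttpClient/4.5.13 (Java/11.0.2)"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0800] "GET /product/43 HTTP/1.1" 200 8810 "-" "Apache-HttpClient/4.5.13 (Java/11.0.2)"
192.0.2.200 - - [10/Oct/2023:13:55:39 +0800] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
192.0.2.55 - - [10/Oct/2023:13:55:40 +0800] "POST /api/sms/send HTTP/1.1" 200 51 "https://example.test/register" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/117.0 Safari/537.36"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Illustrative signatures; the WAF's own feature set is not public.
SCRIPT_TOOL_RE = re.compile(r'python-requests|python-urllib|HttpClient|curl/|Go-http-client|Java/|Wget', re.I)
CRAWLER_RE = re.compile(r'Baiduspider|Googlebot|bingbot|Sogou|YandexBot', re.I)
# Paths that look like SMS registration / verification interfaces (assumed naming).
SMS_PATH_RE = re.compile(r'/sms/|/captcha|/verif(?:y|ication)', re.I)


def classify_ua(ua: str) -> str:
    """Crawlers are checked first so a spider is never miscounted as a script tool."""
    if CRAWLER_RE.search(ua):
        return "crawler"
    if SCRIPT_TOOL_RE.search(ua):
        return "script_tool"
    return "browser"


def analyze_access_log(log_text: str, sms_alarm_threshold: int = 3) -> Dict:
    """Summarize who calls which interface and with what kind of client."""
    ua_classes: Counter = Counter()
    per_interface: Dict[str, Counter] = defaultdict(Counter)   # path -> Counter(ip)
    sms_by_ip: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # skip lines that are not in combined log format
        ua_classes[classify_ua(m["ua"])] += 1
        per_interface[m["path"]][m["ip"]] += 1
        if SMS_PATH_RE.search(m["path"]):
            sms_by_ip[m["ip"]] += 1
    suspects: List[Tuple[str, int]] = [
        (ip, n) for ip, n in sms_by_ip.most_common() if n >= sms_alarm_threshold]
    return {
        "ua_classes": ua_classes,
        "top_sources": {path: c.most_common(3) for path, c in per_interface.items()},
        "sms_abuse_suspects": suspects,
    }


if __name__ == "__main__":
    report = analyze_access_log(SAMPLE_LOG)
    print("client classes:", dict(report["ua_classes"]))
    for path, sources in report["top_sources"].items():
        print(f"{path:20} {sources}")
    print("SMS abuse suspects:", report["sms_abuse_suspects"])
```

In the constructed data one source sends four SMS requests with a script-tool User-Agent and no Referer, while the browser registration has a Referer from the site's own registration page: exactly the source-address and interface view the Defense note asks you to build before deciding whether to add a Data Risk Control or custom HTTP flood rule. Legitimate crawlers show up in the same report, so a high crawler count alone is not evidence of abuse.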